Generating SSL Certificate KEY and CSR using OpenSSL

This is likely more for myself than anyone else, because I’ve had to create so many KEY and CSR files recently for all sorts of third-party devices and appliances. Assuming you have access to a Linux server with OpenSSL, you can generate the private key and certificate signing request quickly and with very little hassle.

The process has the following steps:

1. Generate a private key for this specific use.
2. Using the private key, generate a Certificate Signing Request (CSR).
3. Have the CSR signed by a private or public Certificate Authority, which will provide the certificate.
4. Upload the private key and signed certificate to your device or system.

Let’s start by creating a directory just for this specific certificate; it makes it easier to keep track of all the files we’ll have when we’re done. In this example I’m going to request a certificate for a Cisco ASA to be used with the Cisco AnyConnect VPN client, vpn.acme.com.

mkdir ~/vpn.acme.com/
cd ~/vpn.acme.com/

Let’s generate a private key, using a key size of 4096 bits, which should future-proof us sufficiently.

openssl genrsa -out vpn.acme.com.key 4096

Now let’s generate a SHA-256 certificate signing request using the private key we generated above.

openssl req -new -sha256 -key vpn.acme.com.key -out vpn.acme.com.csr

We now need to take the certificate request and have it signed by a Certificate Authority. The resulting certificate (filename: vpn.acme.com.crt) will need to be installed, along with the private key, onto the appliance or device we’re generating the certificate for.

Since we’re working with a Cisco ASA, we need to combine the private key, the certificate and any intermediate certificate authority certificates into a single PKCS12 file so we can upload it to the ASA. Again we’ll use OpenSSL for this task, and it’s pretty easy. (You’ll be prompted to set a password on the file; make sure you don’t forget it, because you’ll need it when uploading the file to the Cisco ASA.)
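The whole procedure above, from private key through CSR to the PKCS12 bundle, as an added shell example that is not part of the original post. It assumes `openssl` is on the PATH and, because a real CA cannot be driven from a script, stands in a throwaway self-signed test CA for the signing step; in practice you submit the `.csr` and receive the `.crt` back. The hostname vpn.acme.com, the `/C=US/O=Acme` subject fields and the password `change-me` are constructed values. It also adds two checks a practitioner wants before submitting or uploading: that the CSR actually carries the public half of the key you will install, and what the modulus size is (the comments below note that the ASA does not accept 4096-bit keys for SSL, so this example defaults to 2048).

```shell
#!/bin/sh
# Added example (not the post's own commands): key -> CSR -> signed cert -> PKCS12,
# with a local throwaway CA standing in for the real Certificate Authority.
# Assumes openssl is on PATH. Subject fields and password below are constructed values.
set -eu

# make_key_and_csr HOST DIR [BITS]: write DIR/HOST.key and a SHA-256 request DIR/HOST.csr.
# -subj makes the request non-interactive; replace C/O with your organisation's values.
make_key_and_csr() {
    host="$1" dir="$2" bits="${3:-2048}"
    mkdir -p "$dir"
    # umask 077 so the private key file is readable only by its owner
    (umask 077; openssl genrsa -out "$dir/$host.key" "$bits" 2>/dev/null)
    openssl req -new -sha256 -key "$dir/$host.key" -out "$dir/$host.csr" \
        -subj "/C=US/O=Acme/CN=$host"
}

# key_bits HOST DIR: print the RSA modulus size carried by the CSR (e.g. 2048),
# so platform limits can be checked before the request is submitted.
key_bits() {
    openssl req -in "$2/$1.csr" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p'
}

# csr_matches_key HOST DIR: succeed only if the CSR's public key is derived from HOST.key.
csr_matches_key() {
    k=$(openssl rsa -in "$2/$1.key" -pubout 2>/dev/null)
    c=$(openssl req -in "$2/$1.csr" -pubkey -noout)
    [ "$k" = "$c" ]
}

# sign_with_test_ca HOST DIR: stand-in for the real CA. Creates a self-signed CA under
# DIR/testca and issues DIR/HOST.crt from the CSR (short lifetime, test use only).
sign_with_test_ca() {
    host="$1" dir="$2" ca="$2/testca"
    mkdir -p "$ca"
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$ca/ca.key" -out "$ca/ca.crt" -subj "/CN=Acme Test CA" 2>/dev/null
    openssl x509 -req -in "$dir/$host.csr" -CA "$ca/ca.crt" -CAkey "$ca/ca.key" \
        -CAcreateserial -sha256 -days 1 -out "$dir/$host.crt" 2>/dev/null
}

# bundle_pkcs12 HOST DIR PASS: private key + certificate + issuing chain in one .p12.
# -certfile is where the intermediate CA certificates go; -name labels the entry.
bundle_pkcs12() {
    host="$1" dir="$2" pass="$3"
    openssl pkcs12 -export -inkey "$dir/$host.key" -in "$dir/$host.crt" \
        -certfile "$dir/testca/ca.crt" -name "$host" \
        -passout "pass:$pass" -out "$dir/$host.p12"
}

# p12_subject HOST DIR PASS: read the end-entity subject back out of the bundle,
# confirming the file opens with the password you intend to type into the appliance.
p12_subject() {
    openssl pkcs12 -in "$2/$1.p12" -passin "pass:$3" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject
}

# demo: run the whole flow in a scratch directory (usage: sh this_script.sh run).
demo() {
    d="${TMPDIR:-/tmp}/vpn.acme.com.$$"
    make_key_and_csr vpn.acme.com "$d" 2048
    csr_matches_key vpn.acme.com "$d"
    echo "CSR key size: $(key_bits vpn.acme.com "$d") bits"
    sign_with_test_ca vpn.acme.com "$d"
    bundle_pkcs12 vpn.acme.com "$d" 'change-me'
    p12_subject vpn.acme.com "$d" 'change-me'
    echo "files in $d"
}

if [ "${1:-}" = "run" ]; then demo; fi
```

For the real deployment, drop `sign_with_test_ca`, copy the CA-issued certificate to `DIR/HOST.crt` and point `-certfile` at the intermediate chain the CA gave you. If an older appliance rejects the bundle, OpenSSL 3 writes PKCS12 files with newer default ciphers than some devices understand; its `openssl pkcs12 -export -legacy` option produces the older format.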

Comments

Thank you for your SSL guidance. Just one note regarding key size. If the key size is larger than 2048 bits, the certificate cannot be used for securing WebSSL/AnyConnect.

“2. ASA currently does not support 4096 bit keys (Cisco bug ID CSCut53512) for SSL server authentication. However, IKEv2 does support the use of 4096 bit server certificates on the ASA 5580, 5585, and 5500-X platforms alone. ”